hijack.autoconfigurl.prxysvrrst Malware

[Jurionx]

I found recently that my Chrome/FireFox browser no longer functions normally when I am searching for something on Google, it takes longer and I can see that something is redirecting my proxy settings (or something similar), logging me out of my Google account and giving me different search results. I bought and downloaded MBAM, ran a scan, the first time results came out for a malware, hijack.autoconfigurl.prxysvrrst, and it was quarantined, everything was fine. 

However the next day, the problem was back again, and running MBAM and all the prescribed programs turned up nothing, but the problem persists. I have attached all the relevant logs, hope you guys can help me out. Thanks!

04052016.txt

AdwCleaner[C2].txt

FRST.txt

Addition.txt

[Jurionx]

Further scans reveal the malware to be here, in my registry, deleting it does nothing, it comes back.

[Jurionx]

Addition.txt shows that I have utorrent installed, I have uninstalled it as per the guidelines stated here.

[Jurionx]

 

36 minutes ago, razerphynx said:

The weirdest thing here is, I just had the exact same thing and at the exact same time.

It could be something I torrented, however, I don't recall downloading anything in the few days before and after I become aware of the malware

[AlexSmith]

Most of these types of infections will use group policies, a registry.pol file, or a Scheduled Task that uses Command Prompt, PowerShell, or wscript to re-add itself. Sometimes it can also be a rootkit or a compromised application that may have been obtained from unofficial channels.

You may want to utilize Sysinternals Autoruns to see if you find anything out of place from the Scheduled Tasks front.

@TwinHeadedEagle and @AdvancedSetup, any thoughts?

[AdvancedSetup]

I will assist you  with cleanup  later tonight when I get back from dinner with the family.

For now let me have you get started with the following.  Thanks

 

 

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
• Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
• Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
• Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
• The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
• You can check here if you're not sure if your computer is 32-bit or 64-bit
• Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
• When we are done, I'll give you instructions on how to cleanup all the tools and logs
• Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
• Your topic will be closed if you haven't replied within 3 days
• (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1 | Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.

STEP 02
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.
• Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 03
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

 

[Jurionx]

Thank you!

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/5/2016
Scan Time: 1:27 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.06.01
Rootkit Database: v2016.04.17.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Junhao

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 419925
Time Elapsed: 14 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

[AdvancedSetup]

Please run the AdwCleaner again and post back the new log.

Then restart the computer again and run FRST again and make sure you place a check mark in the Additions check box and attach both new logs on your next reply.

Thanks

 

 

[Jurionx]

# AdwCleaner v5.115 - Logfile created 06/05/2016 at 15:59:24
# Updated 01/05/2016 by Xplode
# Database : 2016-05-04.2 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Junhao - JUNHAO-PC
# Running from : C:\Users\Junhao\Desktop\Tools\adwcleaner_5.115.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchmpbaclbiioedakpcldenooikekokm
[-] Folder Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen
[-] Folder Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall

***** [ Files ] *****

[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_dchmpbaclbiioedakpcldenooikekokm_0.localstorage
[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_dchmpbaclbiioedakpcldenooikekokm_0.localstorage-journal
[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dchmpbaclbiioedakpcldenooikekokm
[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage
[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage-journal
[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chphlpgkkbolifaimnlloiipkdnihall_0.localstorage
[-] File Deleted : C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chphlpgkkbolifaimnlloiipkdnihall_0.localstorage-journal

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : chphlpgkkbolifaimnlloiipkdnihall
[-] [C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : dchmpbaclbiioedakpcldenooikekokm
[-] [C:\Users\Junhao\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : kbfnbcaeplbcioakkpcpgfkobkghlhen

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C3].txt - [2664 bytes] - [06/05/2016 15:59:24]
C:\AdwCleaner\AdwCleaner[S3].txt - [2649 bytes] - [06/05/2016 15:58:05]

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [2810 bytes] ##########



 

[Jurionx]

Here's the FRST logs

FRST.txt

Addition.txt

[AdvancedSetup]

Well I would love to continue to assist you in removing this however the logs indicate this computer is being used to pirate software from Adobe.

 

127.0.0.1 3dns-1.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-4.adobe.com
127.0.0.1 3dns.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 activate-sjc0.adobe.com

 

[AdvancedSetup]

This topic will now be closed due to evidence of cracked or pirated software on this system.Piracy Policy

[AdvancedSetup]

Topic reopened per request

[AdvancedSetup]

Please uninstall all versions of Java then run the following.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

[Jurionx]

Fix result of Farbar Recovery Scan Tool (x64) Version:09-05-2016
Ran by Junhao (2016-05-10 10:52:05) Run:1
Running from C:\Users\Junhao\Desktop
Loaded Profiles: Junhao &  (Available Profiles: Junhao & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
AutoConfigURL: [HKLM-x32] => hxxp://xn--koa.net/proxy.pac
Hosts:
EmptyTemp:
Reboot:

*****************

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 1.3 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 10:52:22 ====

Thanks!

[AdvancedSetup]

Okay let's go ahead now and look for and cleanup any other items that might possibly be on the system.

 

Please go ahead and run through the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista / Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

 

[Jurionx]

The attached files for all the scans are attached.

Unfortunately after the first removal via FRST, the malware is back. 

JRT.txt

AdwCleaner[C4].txt

ESET.txt

Addition.txt

FRST.txt

[AlexSmith]

@Jurionx, can you perform the following?

Creating a Sysinternals AutoRuns Data File (.ARN)
Sysinternals AutoRuns is an advanced tool for managing startup items as well as manual malware/hijack identification and remediation. Think of it as MSConfig and certain parts of Task Manager on steroids. To get the most out of this tool, the current state of your PC needs to be exported then analyzed by a professional. The steps below will walk you through this process.

1. Download Sysinternals AutoRuns from here: https://live.sysinternals.com/autoruns.exe
2. Right click AutRuns.exe and select "Run as Administrator". Click Yes at the UAC prompt.
3. Allow Sysinternals AutoRuns to scan the system then click the Save icon in the toolbar (or go to File > Save or click Ctrl+s).
4. Save the current scan as an ARN file (default setting)
5. Post the ARN as an attachment on a follow up post.

[Jurionx]

22 minutes ago, AlexSmith said:

@Jurionx, can you perform the following?

Creating a Sysinternals AutoRuns Data File (.ARN)
Sysinternals AutoRuns is an advanced tool for managing startup items as well as manual malware/hijack identification and remediation. Think of it as MSConfig and certain parts of Task Manager on steroids. To get the most out of this tool, the current state of your PC needs to be exported then analyzed by a professional. The steps below will walk you through this process.

1. Download Sysinternals AutoRuns from here: https://live.sysinternals.com/autoruns.exe
2. Right click AutRuns.exe and select "Run as Administrator". Click Yes at the UAC prompt.
3. Allow Sysinternals AutoRuns to scan the system then click the Save icon in the toolbar (or go to File > Save or click Ctrl+s).
4. Save the current scan as an ARN file (default setting)
5. Post the ARN as an attachment on a follow up post.

 

Here you go @AlexSmith

 

PC.rar

[AlexSmith]

That looks clean too. Do any of the following files exist?
 

• c:\Windows\System32\GroupPolicy\Machine\registry.pol

• c:\Windows\\System32\GroupPolicy\User\registry.pol

[Jurionx]

21 minutes ago, AlexSmith said:

That looks clean too. Do any of the following files exist?
 

• c:\Windows\System32\GroupPolicy\Machine\registry.pol

• c:\Windows\\System32\GroupPolicy\User\registry.pol

 

Nope, the Group Policy folder is empty.

[AlexSmith]

Darn. Something is obviously bringing this back. My guess is that it's coming back via something that looks legitimate, but isn't.

When I want to track down what's recreating an object (e.g. registry setting, a particular file, etc.), I usually use Sysinternals ProcMon to record/capture me deleting it and it getting recreated. Then sifting through that log will help me find out what process re-created that object.

If you want to take a stab at that, please do. If you need a second set of eyes on your ProcMon log, upload it.

Edited May 10, 2016 by AlexSmith

[Jurionx]

@AlexSmith How would I go about doing that though? I am afraid of deleting something important!

[AlexSmith]

How to Use Sysinternals Process Monitor (ProcMon) to Capture Stuff
Process Monitor is a very powerful tool that monitors and records file operations, registry operations, and network activity that is occurring via any currently running process or thread. This is a great expert "detective" tool in helping uncover what may be causing an application to crash, fail at performing a common operation, or uncovering malware that is doing something evil. This tool can be overwhelming and usually requires an expert to fully utilize it and interpret the results.

The directions below will cover how to create a ProcMon log that an expert can analyze. Make sure to stage everything ahead of time for the task you need to capture/record. This will reduce the size of the log file created and improve an experts ability to analyze the log results.

Prepare/stage everything needed to perform the task you need to record/capture. Close out any applications that are not needed to perform this task to reduce noise in the log file.

1. Download Sysinternals ProcMon from here: http://live.sysinternals.com/Procmon.exe
2. Run ProcMon.exe as Administrator and select Yes at the UAC prompt
3. ProcMon will start Capturing/Recording immediately, so perform the task(s) and/or operations(s) you need to capture/record.
4. Once complete, go to ProcMon and stop capturing by selecting the Magnifying Class icon or by pressing CTRL+e (or File > Capture Events).
5. Click on the Save icon (or File > Save) and click Ok. DO NOT CHANGE ANY OF THE DEFAULT SAVE OPTIONS.
6. Upload the .PML file created. You may need to compress it in a Zip or 7z file to save space.

For you specific situation, you would have Regedit ready to go then delete that AutoConfigURL entry then refresh RegEdit until it comes back. That's the task you want to record/capture.

Edited May 10, 2016 by AlexSmith

[AdvancedSetup]

This tool here can restore those settings too.

HKU\S-1-5-21-873992969-3596144569-818968434-1000\...\Run: [GUDelayStartup] => E:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [43984 2016-04-18] (Glarysoft Ltd)

This is a Torrent program designed to watch content (typically not legal) that could potentially be injecting the change. Please delete that service. AutoRuns can do that for you if you like. I would recommend that you uninstall Popcorn Time (AdwCleaner already removed parts of it)

S2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [X]

 

From an elevated Admin command prompt type the following and press the Enter key.

netsh winhttp  reset proxy

 

You have a driver for Emsisoft still set as a service but it does not look like you have Emsisoft installed so I'd recommend removing that too.

S1 epp; \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [X]

 

The same for this which is part of Popcorn Time (PornTime) and has it's own uninstaller.

The Event Logs are showing networking issues as well that should be addressed.

Error: (05/10/2016 02:33:20 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

 

 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List Winsock Entries
• List last 10 Event Viewer log
• List Installed Programs
• List Devices
• List Users, Partitions and Memory size.
• List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 

 

 

Please visit each of the following sites and lets reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome
Start by disabling Sync
How To Delete Your Google Chrome Browser Sync Data
Chrome - Reset browser settings
If that fails then Uninstall Google Chrome and do not reinstall until sure the system is clean.

 

 

Edited May 10, 2016 by AdvancedSetup